Hi Splunkers.
I'm trying to integrate Bitdefender Gravityzone (Cloud) with Splunk on-premises, I have used the official documentation from the Bitdefender website:
https://www.bitdefender.com/business/support/en/77211-171475-splunk.html
but I'm stuck in the "Enable the Splunk integration" step;
In the beginning, I have tried using the "Enable the Splunk integration manually" method, I have put everything in place and run the command in the documentation, but ended up with an error stating that "The web server with this URL must support TLS 1.2, at least" as shown in the below screenshot:
I have reviewed the documenting again in this link:
https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html
Under the "Important" note:
"Event Push Service requires the HTTP collector running on the third-party platforms to support SSL with TLS 1.2 or higher, to send events successfully."
But here is the thing, I think that HEC by default only supports TLSv1.2 despite sslVersions=*
$ cat /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true
ackIdleCleanup=true
I have tried to use:
sslVersions=tls1.2 but nothing happened, it still shows the same issue.
Can someone please help me figure out how to solve this TLS issue?
Afterward, I have tried to use the "Enable the Splunk integration by running a script" method, aging I have put everything in place and run the script, but ended up with an error stating that:
FAIL - server response:
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
as shown in the below screenshot:
Any Idea why this happens?
Much thanks.
Hello,
This meant We cannot use API Push Event to Splunk Cloud Trial, is it right?
Because, When I use this method for Collector trial link port 8088 still face this issue:
{"id":"1","jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params","data":{"details":"The web server with this URL must support TLS 1.2
Thanks
Hello AndyG,
Do you need to modify port 8088 on Splunk Global setting?
I try to do the same your recommend but still face issue.
Thanks
So according to this page:
Port 8088 is only for trial accounts. Full accounts should use port 443 in their command. Hope this helps!
Hello,
I'm facing the same problem when pushing events via API from GravityZone Cloud to Splunk Cloud.
Do you have the guide to troubleshoot it?
Thanks!
Hello Guys, did anyone find any resolution for that issue. i am also facing the same issue. i tried in Splunk cloud and splunk enterprise. getting the same error in both
Did you ever figure out this problem? I have the same issue trying to integrate Bitdefender.
Unfortunately, not yet, I have opened a case with Splunk to work on this but still, the issue is pending ☹️
I've the same error when i try to configure the event push between Splunk and BitDefender. Have you any news about it?
Unfortunately no answer anywhere 🥲
Did you ever get this resolved? Our team is facing the same issue
Unfortunately, I couldn't resolve this, I gave up trying to integrate this with Splunk 😔
For @muradgh and anyone else struggling with this, I've managed to get it working.
The BitDefender guide is out of date/incorrect about the Splunk address to use.
I found the correct format on this page:
Long story short, you need to add http-inputs- before your URL and use port 443, not 8088 as BD say.
So my full URL (with hostname removed, obviously) is:
https://http-inputs-[hostname].splunkcloud.com:443/services/collector
After doing that, I now get the success return value that the BD guide shows. Hope this helps other people!